Ubuntu/syslog: Difference between revisions
< Ubuntu
Line 5: | Line 5: | ||
== Remote syslog == | == Remote syslog == | ||
=== Send === | |||
Easy: | |||
/etc/rsyslog.d/10-rsyslog.conf | |||
*.* @remote.server:514 | |||
service rsyslog restart | |||
# or | |||
systemctl restart rsyslog | |||
=== Receive === | |||
/etc/rsyslog.conf | /etc/rsyslog.conf | ||
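Review bot: the forwarding rule `*.* @remote.server:514` in this hunk uses a single `@`, which is UDP: there is no delivery guarantee and no indication at the sender when the receiver is down, and `*.*` sends every facility (auth and kernel messages included) in clear text across the network. Since the receive side on this page loads imtcp on 514 as well as imudp, `*.* @@remote.server:514` (TCP) is the better default to show, and the Send section should state which listener the receiver must have enabled for the chosen transport.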
Line 12: | Line 25: | ||
Test: | Test: | ||
logger "hello" --server [HOST] --port 514 | logger "hello" --server [HOST] --port 514 | ||
# or | |||
logger "hello" -n [host] -P 514 | |||
# or | |||
logger "hello" -n [host] | |||
Capture traffic example: <ref>https://ubuntuforums.org/showthread.php?t=2457983</ref> | |||
sudo tcpdump -n dst port 514 -v | |||
<pre> | |||
192.168.0.12.36097 > 192.168.0.11.514: SYSLOG, length: 122 | |||
Facility user (1), Severity notice (5) | |||
Msg: 1 2021-02-13T18:18:47.193781+00:00 ubuntu ubuntu - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="284500"] Test | |||
</pre> | |||
To have each system store in seperate file: <ref>https://www.linkedin.com/pulse/how-install-set-up-rsyslog-server-linux-ubuntu-20041-akshay-sharma</ref> | |||
input(type="imtcp" port="514") | |||
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log" | |||
*.* ?RemInputLogs | |||
Modified: | Modified: |
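Review bot: the per-host snippet in this hunk repeats `input(type="imtcp" port="514")`, which the Modified /etc/rsyslog.conf already declares; a second listener on the same port cannot bind, so only the `$template` line and the `*.* ?RemInputLogs` rule belong here (and that rule, as written, also routes the receiver's own local messages into /var/log/remotelogs/, because `*.*` matches everything imuxsock delivers). `%PROGRAMNAME%` is copied from the client's message, so `%PROGRAMNAME:::secpath-replace%` should be used in the template to stop a sender from putting `/` into the file name. Also "seperate" should read "separate".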
Revision as of 22:59, 1 January 2025
Managed by rsyslog
See syslog
== Remote syslog ==

=== Send ===
Easy:
<pre>
/etc/rsyslog.d/10-rsyslog.conf
*.* @remote.server:514
</pre>
<pre>
service rsyslog restart
# or
systemctl restart rsyslog
</pre>

=== Receive ===
/etc/rsyslog.conf
<pre>
systemctl restart rsyslog
</pre>
Test:
<pre>
logger "hello" --server [HOST] --port 514
# or
logger "hello" -n [host] -P 514
# or
logger "hello" -n [host]
</pre>
Capture traffic example: [1]
<pre>
sudo tcpdump -n dst port 514 -v
</pre>
<pre>
192.168.0.12.36097 > 192.168.0.11.514: SYSLOG, length: 122
	Facility user (1), Severity notice (5)
	Msg: 1 2021-02-13T18:18:47.193781+00:00 ubuntu ubuntu - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="284500"] Test
</pre>
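As an added example (not part of the wiki page and not rsyslog's code), the exchange the capture above shows, collapsed onto one host: a sender builds the same RFC 5424 datagram that logger produces, a loopback UDP listener receives it the way imudp would, and a small parser splits the header into the fields tcpdump decoded. The message text, facility (user = 1) and severity (notice = 5) come from the capture; the listener address 127.0.0.1 with an ephemeral port is an assumption so the script runs without root and without a real rsyslog instance.

```python
"""Added example (not from the wiki page): a loopback UDP syslog exchange
plus an RFC 5424 header parser.  The message text, facility (user=1) and
severity (notice=5) are taken from the tcpdump capture above; the listener
address 127.0.0.1 with an ephemeral port is an assumption so the script runs
without root and without a real rsyslog instance."""
import re
import socket

FACILITY_USER = 1      # RFC 5424 facility code shown in the capture
SEVERITY_NOTICE = 5    # RFC 5424 severity code shown in the capture

# The datagram body from the capture.  tcpdump decoded its leading PRI into
# "Facility user (1), Severity notice (5)", so the wire form was "<13>" + this.
CAPTURED_MSG = (
    "1 2021-02-13T18:18:47.193781+00:00 ubuntu ubuntu - - "
    '[timeQuality tzKnown="1" isSynced="1" syncAccuracy="284500"] Test'
)


def encode_pri(facility, severity):
    """PRI value = facility * 8 + severity (RFC 5424, section 6.2.1)."""
    return facility * 8 + severity


def decode_pri(pri):
    """Inverse of encode_pri: returns (facility, severity)."""
    return divmod(pri, 8)


# HEADER = <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# followed by STRUCTURED-DATA and an optional MSG.  PRI is optional here
# because tcpdump prints the body without it.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<version>\d) "
    r"(?P<timestamp>\S+) "
    r"(?P<hostname>\S+) "
    r"(?P<appname>\S+) "
    r"(?P<procid>\S+) "
    r"(?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)


def parse_rfc5424(line):
    """Split one RFC 5424 line into its header fields; raises ValueError otherwise."""
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 message: %r" % line)
    fields = m.groupdict()
    if fields["pri"] is not None:
        fields["facility"], fields["severity"] = decode_pri(int(fields["pri"]))
    return fields


def syslog_roundtrip(text, facility=FACILITY_USER, severity=SEVERITY_NOTICE):
    """Send one datagram to a loopback listener and return the parsed result.

    This is the logger -> imudp path from the page collapsed onto one host:
    the sender builds "<PRI>" + header + text, the listener receives it.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))   # assumption: ephemeral port, not 514
        listener.settimeout(2)
        port = listener.getsockname()[1]
        header = "1 2021-02-13T18:18:47.193781+00:00 ubuntu ubuntu - - -"
        datagram = "<%d>%s %s" % (encode_pri(facility, severity), header, text)
        sender.sendto(datagram.encode("utf-8"), ("127.0.0.1", port))
        data, _peer = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    return parse_rfc5424(data.decode("utf-8"))


if __name__ == "__main__":
    p = parse_rfc5424("<13>" + CAPTURED_MSG)
    print("captured:", p["hostname"], p["appname"], p["facility"], p["severity"], p["msg"])
    r = syslog_roundtrip("Test")
    print("roundtrip:", r["hostname"], r["facility"], r["severity"], r["msg"])
```

The PRI arithmetic is why tcpdump can print "user (1)" and "notice (5)" from a single number: 1 * 8 + 5 = 13, so the datagram on the wire began with `<13>`. A receiver should treat everything after the PRI as untrusted text supplied by the sender, hostname and app-name included.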
To have each system store in a separate file: [2]
<pre>
input(type="imtcp" port="514")
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs
</pre>
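As an added example (not from the wiki page and not rsyslog's own code), the routing the template above expresses, written out in Python so that the two inputs are visible. %FROMHOST-IP% is taken from the socket peer, but %PROGRAMNAME% is copied from the sender's own message, so it is sanitised before it becomes a path component (rsyslog offers the `secpath-replace` property option for the same purpose). The base directory matches the template; the sample records are constructed.

```python
"""Added example (not from the wiki page or from rsyslog): the per-host,
per-program routing that the $template line above expresses, written out so
the two inputs are visible.  %FROMHOST-IP% comes from the socket peer, but
%PROGRAMNAME% is copied from the sender's own message, so it is sanitised
before becoming a path component.  Base directory matches the template;
the sample records are constructed."""
import ipaddress
import os
import re

BASE_DIR = "/var/log/remotelogs"

# Anything outside this set (slashes, NUL, spaces, colons, ...) is replaced.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_component(name, fallback="unknown"):
    """Reduce a sender-controlled field to one safe path component.

    Same intent as rsyslog's secpath-replace property option: separators
    become underscores, and names that would not stay inside the directory
    ('', '.', '..') are replaced by a fallback.
    """
    cleaned = _UNSAFE.sub("_", name)
    if cleaned in ("", ".", ".."):
        return fallback
    return cleaned[:200]   # keep well under the usual 255-byte filename limit


def route_path(fromhost_ip, programname, base_dir=BASE_DIR):
    """Return base_dir/<ip>/<program>.log, refusing anything that escapes base_dir."""
    ip = str(ipaddress.ip_address(fromhost_ip))   # ValueError on non-addresses
    path = os.path.join(base_dir, ip, sanitize_component(programname) + ".log")
    if os.path.commonpath([base_dir, os.path.normpath(path)]) != base_dir:
        raise ValueError("routed path escapes %s: %r" % (base_dir, path))
    return path


def route_records(records):
    """Group (fromhost_ip, programname, msg) records by destination file."""
    grouped = {}
    for ip, prog, msg in records:
        grouped.setdefault(route_path(ip, prog), []).append(msg)
    return grouped


# Constructed records: a normal one, one with a hostile programname, one odd.
SAMPLE_RECORDS = [
    ("192.168.0.12", "ubuntu", "Test"),
    ("192.168.0.12", "../../../tmp/evil", "traversal attempt"),
    ("192.168.0.13", "..", "dotdot attempt"),
]

if __name__ == "__main__":
    for path, msgs in route_records(SAMPLE_RECORDS).items():
        print(path, msgs)
```

The `commonpath` check is a second line of defence: even if the sanitiser were later relaxed, a record can only ever be written below the base directory. The same reasoning is why the rsyslog template should use `%PROGRAMNAME:::secpath-replace%` rather than the bare property.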
Modified:
<pre>
#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
</pre>
Before:
<pre>
#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
</pre>